Who Should Handle Your PCI Penetration Testing?

As a QSAC (Qualified Security Assessor Company), we are frequently asked by our clients whether they can meet their continuing PCI penetration testing requirements in-house. This depends on a few variables.

PCI DSS requirement 11.3 covers an organisation's obligation to conduct a yearly external and internal penetration test that also includes application testing. This is different from PCI DSS requirement 11.2, which deals with an organisation's obligation to run internal and external vulnerability scans quarterly, which must be run internally or by an ASV (Approved Scanning Vendor), respectively.

Each of these activities must also be performed either at the mandated intervals or when changes take place in the organisation's applications (including upgrades), network, and infrastructure.

From a technical perspective there are key differences between these requirements as well. The penetration test attempts to exploit vulnerabilities in order to determine the magnitude of the issues and their full business impact, while the vulnerability assessment only identifies and reports the issues it notes. The penetration test must include application layer tests, and is more manual and comprehensive than the vulnerability scans.

The yearly penetration test does not need to be conducted by a party external to the organisation according to the guidance supplied from the PCI SSC. The testing, however, needs to be completed by a party that is well qualified, who is organisationally separate from the management of the systems being tested. All in-scope locations should be included in the penetration test, and the test should be appropriate for the size and intricacy of the organisation. Results from either black box or white box penetration testing approaches should be documented, with all systems and networks in the cardholder data environment included in the scope of the testing. Smaller organisations that have only limited resources could have some difficulty in demonstrating their adherence to these requirements.

Outsourcing these requirements to an organisation that can deliver comprehensive independent results and that is also wholly focused on the delivery of these professional services is usually preferred by larger organisations. Penetration testing should not only be conducted to meet compliance obligations. What this testing should do is lead to an improved security posture, and this is believed by many to be best accomplished by seeking the services of a firm which specializes in this field.

Sense of Security is Australia's premier provider of a range of IT security and risk management solutions. Its services include IT security reviews, penetration testing, audit and PCI compliance. Sense of Security provides PCI compliance services through its team of QSAs to many of the country's leading organisations.
